Oracle Linux 7 : poppler (ELSA-2019-2022)

critical Nessus Plugin ID 180866

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-2022 advisory.

evince [3.28.2-8]
- Do not free EvDocumentInfo in ev_window_save_print_settings(), it is freed in EvDocument's destructor
- Resolves: #1541358

[3.28.2-7]
- Do not store page-scaling for documents with enforced page-scaling
- Resolves: #1541358

[3.28.2-6]
- Use PrintScaling preference stored in PDFs
- Resolves: #1541358

okular [4.10.5-7]
- Fix patch adding information about substituting font
- Resolves: bz#1458037

[4.10.5-6]
- Fix broken dependency on kde-runtime
- Resolves: bz#1670723

[4.10.5-5]
- Add information about substituting font
- Resolves: bz#1458037

poppler [0.26.5-38]
- Constrain number of cycles in rescale filter
- Compute correct coverage values for box filter
- Resolves: #1688417

[0.26.5-37]
- Fix tiling patterns when pattern cell is too far
- Resolves: #1378961

[0.26.5-36]
- Fix version from which PrintScaling is available
- Resolves: #1658304

[0.26.5-35]
- Export PrintScaling viewer preference in glib frontend
- Related: #1658304

[0.26.5-34]
- Fix a memory leak detected by Coverity Scan
- Related: #1636103

[0.26.5-33]
- Only embed mime data for gray/rgb/cmyk colorspaces if image decode map is identity
- Resolves: #1636103

[0.26.5-32]
- Fix possible crash on broken files in ImageStream::getLine()
- Resolves: #1685267

[0.26.5-31]
- Avoid global display profile state becoming an uncontrolled memory leak
- Resolves: #1648860

[0.26.5-30]
- Check for missing pages in documents passed to pdfunite
- Resolves: #1677348

[0.26.5-29]
- Don't reuse 'entry' in Parser::makeStream
- Resolves: #1677058

[0.26.5-28]
- Move the fileSpec.dictLookup call inside fileSpec.isDict if
- Resolves: #1677029

[0.26.5-27]
- Defend against requests for negative XRef indices
- Resolves: #1673700

[0.26.5-26]
- Add font substituteName() getter to Qt bindings
- Resolves: bz#1639595

[0.26.5-25]
- Check for valid file name of embedded file
- Resolves: #1651307

[0.26.5-24]
- Check for valid embedded file before trying to save it
- Resolves: #1651306

[0.26.5-23]
- Check for stream before calling stream methods when saving an embedded file
- Resolves: #1651305

[0.26.5-22]
- Fix crash on missing embedded file
- Resolves: #1651309

[0.26.5-21]
- Avoid cycles in PDF parsing
- Resolves: #1640295

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2019-2022.html

Plugin Details

Severity: Critical

ID: 180866

File Name: oraclelinux_ELSA-2019-2022.nasl

Version: 1.2

Type: local

Agent: unix

Published: 9/7/2023

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9631

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:poppler-demos, p-cpe:/a:oracle:linux:poppler-devel, p-cpe:/a:oracle:linux:evince-browser-plugin, p-cpe:/a:oracle:linux:poppler-qt, p-cpe:/a:oracle:linux:poppler-cpp-devel, p-cpe:/a:oracle:linux:okular, p-cpe:/a:oracle:linux:evince-dvi, p-cpe:/a:oracle:linux:okular-libs, p-cpe:/a:oracle:linux:evince, p-cpe:/a:oracle:linux:evince-libs, p-cpe:/a:oracle:linux:poppler-utils, p-cpe:/a:oracle:linux:evince-nautilus, p-cpe:/a:oracle:linux:poppler, p-cpe:/a:oracle:linux:poppler-glib-devel, p-cpe:/a:oracle:linux:poppler-glib, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:evince-devel, p-cpe:/a:oracle:linux:okular-part, p-cpe:/a:oracle:linux:poppler-qt-devel, p-cpe:/a:oracle:linux:okular-devel, p-cpe:/a:oracle:linux:poppler-cpp

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/13/2019

Vulnerability Publication Date: 9/6/2018

Reference Information

CVE: CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-20662, CVE-2019-7310, CVE-2019-9200, CVE-2019-9631

IAVB: 2018-B-0151-S, 2019-B-0001-S, 2019-B-0011-S, 2019-B-0021-S